"Report spam/phishing" buttons
I think that would work fine if it they could be deactivated or "muted" for clueless users. That is, if admins get three obvious false positives from a certain user, remove the button for them or have him hitting it ignored by the system. After a while you'd only be getting reports from users who are smart enough to tell the difference between that and legitimate email (or at least smart enough that the admins have to do a little research before they figure out which category it belongs in)
Giving the ability to create more work for the admins to everyone, including the Dunning-Kruger class of users, is a bad idea. If only a few people get a particular spam or phishing email there isn't anything you can/should do about it anyway, if a lot of people get it then one of the smart users who gets to keep their report button privileges will get it and you'll be notified quickly enough.
Biting the hand that feeds IT
